Trillian allows SSL over AIM protocol [or did allow in .72, haven't checked the RC1 release yet]. lICQ allowed SSL over ICQ as well... so it's there if you're willing to use alternative clients, but most people don't.

nick

----- Original Message -----
From: "Alex Lambert" <alambertat_private>
To: "Adam Carr" <itsacarrat_private>; <vuln-devat_private>
Sent: Tuesday, August 06, 2002 11:15 AM
Subject: Re: In regards to the insecurity of AOL Instant Messenger

> > Now my question, is how secure are normal "ims" on AIM. How difficult
> > would it be to listen to another's msgs and if at all possible, how could
> > this be fixed.
>
> "msgsnarf records selected messages from AOL Instant Messenger,
> ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger
> chat sessions." (msgsnarf(8) manpage)
>
> AFAIK, none of the above protocols are usually encrypted. dsniff
> (http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz) can pick them up.
>
> apl
>
> ----- Original Message -----
> From: "Adam Carr" <itsacarrat_private>
> To: <vuln-devat_private>
> Sent: Monday, August 05, 2002 5:58 PM
> Subject: In regards to the insecurity of AOL Instant Messenger
>
> > After seeing the recent emails about the hide windows while away
> > function while I don't quite understand that as a security threat this
> > does remind me of other insecurities of AIM and some questions I had as
> > well.
> >
> > The first threat to AIM users that I am aware of and have tested myself
> > is under Direct Connects with another user. With a target's ip, it is not
> > difficult at all to intercept the dcc's messages and to input your own.
> > Quite frightening. A simple fix is to change the port which AIM direct
> > connects on. Seeing as how my explanations are not that great I invite
> > anyone else who is aware of this to explain that flaw in AIM.
> >
> > Now my question, is how secure are normal "ims" on AIM. How difficult
> > would it be to listen to another's msgs and if at all possible, how could
> > this be fixed.
> >
> > I know AIM has\had its share of other vulnerabilities so please speak
> > up if you know of any. Thanks ...
> >
> > Cheers ...
> > Adam
This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 10:41:40 PDT